[Apparmor-dev] A command line tool to add to a profile?
Christian Boltz
apparmor at cboltz.de
Thu May 3 15:33:09 MDT 2007
Hello,
On Wednesday, 2 May 2007, Mark Dalton wrote:
> I read through previous mails and FAQs, and I did not find a command
> line tool to add a definition/allowed directory to an existing
> definition. It would be useful for RPMs of packages or an easy
> command for an admin for a set of servers.
I'm doing the following in a script to add hats to the apache profile:
(read the explanations and warnings below before using it!)
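---------------------------------------------------------------------
apacheprofile=/etc/apparmor.d/usr.sbin.httpd2-prefork
username=newuser # $1 in the real script
# only add the hat if it is not in the profile yet
grep "vhost_$username" "$apacheprofile" >/dev/null || {
    # temporary copy of the profile (variable was not set in the excerpt)
    tmpprofile=$(mktemp) || exit 1
    # drop every line starting with "}", i.e. the profile's closing brace
    sed '/^}/ d' < "$apacheprofile" > "$tmpprofile" || exit 2
    # append the new hat, then the profile's closing brace again
    echo "
  ^vhost_$username flags=(complain) {
    #include <abstractions/vhost_$username>
  }
}" >> "$tmpprofile" || exit 3
    mv "$tmpprofile" "$apacheprofile" || exit 4
}
rcapparmor reload
---------------------------------------------------------------------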
grep is used to check if the requested line is already there. If not,
the closing "}" is removed from the profile and the new hat (and
the "}") is added.
Be warned that this is a WORKSFORME solution - it will break if you have
hats without whitespace in front of the "}" for example.
I only use this script on servers I administer and don't recommend
using it in packages you want to distribute.
Regards,
Christian Boltz
--
[appending a text to every outgoing mail] Why do you want to solve that
in the MTA? A task like that is clearly the MUA's job.
After all, you don't build a safety net into the motorway every 100 m
just because your car has no brakes. [Erhard Schwenk in suse-linux]
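
Added example (not part of Christian Boltz's mail and not AppArmor project code): a variant of the approach above that avoids the failure mode named in the warning by deleting no lines at all and inserting the hat before the last line that holds only "}". The function name add_hat, its return codes and the restriction on user names are assumptions; it expects one profile per file and leaves the reload to the caller.

```shell
#!/bin/sh
# add_hat PROFILE USERNAME
# returns 0 = hat added, 1 = hat already present, 2 or higher = error
add_hat() {
    profile=$1 user=$2

    # The name ends up in the profile text and in a regex, so allow only
    # characters that cannot change either (assumed naming policy).
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 2 ;;
    esac

    # Idempotence: match the hat header itself, not any mention of the name.
    grep -Eq "^[[:space:]]*\^vhost_${user}[[:space:]{]" "$profile" && return 1

    # Number of the last line consisting only of "}" (plus optional blanks):
    # the brace closing the profile, wherever the hats' own braces sit.
    last=$(grep -nE '^[[:space:]]*[}][[:space:]]*$' "$profile" |
           tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no closing brace in $profile" >&2; return 3; }

    tmp=$(mktemp) || return 4
    {
        head -n "$((last - 1))" "$profile"
        printf '\n  ^vhost_%s flags=(complain) {\n' "$user"
        printf '    #include <abstractions/vhost_%s>\n  }\n' "$user"
        tail -n "+$last" "$profile"
    } > "$tmp" || { rm -f "$tmp"; return 5; }

    # cat instead of mv keeps the profile's owner and mode (not atomic).
    cat "$tmp" > "$profile" || { rm -f "$tmp"; return 6; }
    rm -f "$tmp"
}
```

Reload the profiles only when add_hat returns 0, as the original script does with rcapparmor reload.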